Analysis Of The Microsoft/RSA Data Loss Prevention Partnership
By the time I post this you won’t be able to find a tech news site that isn’t covering this one. I know, since my name was on the list of analysts the press could contact and I spent a few hours talking to everyone covering the story yesterday. Rather than just reciting the press release, I’d like to add some analysis, put things into context, and speculate wildly. For the record, this is a big deal in the long term, and will likely benefit all of the major DLP vendors, even though there’s nothing earth-shattering in the short term.
As you read this, Microsoft and RSA are announcing a partnership for Data Loss Prevention. Here are the nitty gritty details, not all of which will be apparent from the press release:
- This month, the RSA DLP product (Tablus for you old folks) will be able to assign Microsoft RMS (Rights Management Services, Microsoft’s enterprise DRM) rights to stored data based on content discovery. The way this works is that the RMS administrator defines a rights policy template (what rights are assigned to which users or groups). The RSA DLP administrator then creates a content detection policy that maps matching content to one of those templates, so rights are applied automatically based on what is in a file. The RSA DLP solution then scans file repositories (including endpoints) and applies the RMS rights/controls to protect the content it finds.
- Microsoft has licensed the RSA DLP technology to embed into various Microsoft products. They aren’t offering much detail at this time, nor any timelines, but we do know a few specifics. Microsoft will slowly begin adding the RSA DLP content analysis engine to various products. The non-NDA slides hint at everything from SQL Server, Exchange, and SharePoint, to Windows and Office. Microsoft will also include basic DLP management in its other management tools.
- Policies will work across both Microsoft and RSA in the future as the products evolve. Microsoft will limit itself to its own environment, with RSA as the upgrade path for more complete DLP coverage.
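To make the discover-then-protect loop concrete, here is an added Python sketch of the three steps described above: rights templates defined by the RMS administrator, content policies written by the DLP administrator that map detectors to those templates, and a discovery scan that runs the detectors over stored files and records which template to apply. This is illustrative code written for this post, not RSA or Microsoft code: the template and group names, the sample files, and the apply_template() stand-in (real RMS protection goes through the AD RMS SDK, which is not called here) are all assumptions. The Luhn check is included because it is the kind of validation that separates a real card number from a random 16-digit string, and the templates are keyed to directory groups because that is how RMS rights are actually granted.

```python
"""Added illustration (not RSA/Microsoft code) of content discovery
feeding RMS-style rights templates. Names and sample data are constructed."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# 1. Rights templates, as an RMS administrator would define them.
#    Rights are granted to directory groups (hypothetical names here), which
#    is why a clean directory matters: wrong group membership means the wrong
#    people are locked out, or not locked out.
RIGHTS_TEMPLATES: Dict[str, Dict[str, set]] = {
    "Finance-Confidential": {
        "DOMAIN\\Finance": {"view", "edit", "print"},
        "DOMAIN\\Executives": {"view"},
    },
    "PII-Restricted": {
        "DOMAIN\\HR": {"view", "edit"},
        "DOMAIN\\Legal": {"view"},
    },
}

# 2. Content detectors and the policies that map them to templates.
def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random 16-digit strings (false positives)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")        # 16 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def has_card_number(text: str) -> bool:
    """True only if a 16-digit candidate also passes Luhn."""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False

def has_ssn(text: str) -> bool:
    return SSN_RE.search(text) is not None

@dataclass(order=True)
class ContentPolicy:
    priority: int                                   # lower number wins
    name: str
    template: str
    detector: Callable[[str], bool] = field(compare=False)

POLICIES: List[ContentPolicy] = sorted([
    ContentPolicy(10, "Cardholder data", "Finance-Confidential", has_card_number),
    ContentPolicy(20, "US SSN", "PII-Restricted", has_ssn),
])

# 3. Discovery scan: evaluate policies per file, apply the matching template.
def classify(text: str) -> Optional[ContentPolicy]:
    """First matching policy by priority, or None if nothing sensitive is found."""
    for policy in POLICIES:
        if policy.detector(text):
            return policy
    return None

def apply_template(path: str, template: str) -> Dict[str, object]:
    """Hypothetical stand-in for the RMS protection call; records the decision."""
    return {"path": path, "template": template, "rights": RIGHTS_TEMPLATES[template]}

def scan(files: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Walk a repository snapshot (path -> content); return path -> template or None."""
    result: Dict[str, Optional[str]] = {}
    for path, text in files.items():
        policy = classify(text)
        result[path] = None if policy is None else apply_template(path, policy.template)["template"]
    return result

# Constructed sample repository. 4111 1111 1111 1111 is a standard test card number;
# the marketing "id" has the right shape but fails Luhn, so it is left alone.
SAMPLE_FILES = {
    "share/finance/q3-receipts.txt": "Card 4111 1111 1111 1111 charged 12 Oct",
    "share/hr/new-hire.txt": "SSN 123-45-6789 on file for onboarding",
    "share/marketing/ids.txt": "Tracking id 1234 5678 9012 3456 is not a card",
    "share/public/readme.txt": "Nothing sensitive here",
}

if __name__ == "__main__":
    for path, template in scan(SAMPLE_FILES).items():
        print(f"{path}: {template or 'no action'}")
```

Two design points carry over to a real deployment: policies need an explicit precedence so a file matching several detectors gets one deterministic template, and the rights themselves live in the template (owned by the RMS side), so the DLP policy only decides which template applies and never hands out rights directly.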
And that’s it for now. RSA DLP 6.5 will link into RMS, with Microsoft licensing the technology for future use in their products. Now for the analysis:
- This is an extremely significant development in the long-term future of DLP. Actually, it’s a nail in the coffin of the term “DLP” and moves us clearly and directly to what we call “CMP” (Content Monitoring and Protection). It moves us closer and closer to the DLP engine being available everywhere (and somewhat commoditized), with the real value in the central policy management, analysis, workflow, and incident management system. DLP/CMP vendors don’t go away, but their focus changes as the agent technology is built more broadly into the IT infrastructure (this definitely won’t be limited to just Microsoft).
- It’s not very exciting in the short term. RSA isn’t the first to plug DLP into RMS (Workshare does it, but they aren’t nearly as big in the DLP market). RSA is only enabling this for content discovery (data at rest) and rights won’t be applied immediately as files are created/saved. It’s really the next stages that are interesting.
- This is good for all the major DLP vendors, although a bit better for RSA. It’s big validation for the DLP/CMP market, and since Microsoft is licensing the technology to embed, it’s reasonable to hope that down the road it may be accessible to other DLP vendors (be aware, that’s major speculation on my part).
- This partnership also highlights the tight relationship between DLP/CMP and identity management. Most of the DLP vendors plug into Microsoft Active Directory to determine users/groups/roles for the application of content protection policies. One of the biggest obstacles to a successful DLP deployment can be a poor directory infrastructure. If you don’t know what users have what roles, it’s awfully hard to create content-based policies that are enforced based on users and roles.
- We don’t know how much cash is involved, but financially this is likely good for RSA (the licensing part). I don’t expect it to overly impact sales in the short term, and the other major DLP vendors shouldn’t be too worried for now. DLP deals will still be competitive based on the capabilities of current products, more than what’s coming in an indeterminate future.
Now just imagine a world where you run a query on a SQL database, and any sensitive results are appropriately protected as you place them into an Excel spreadsheet. You then drop that spreadsheet into a PowerPoint presentation and email it to the sales team. It’s still quietly protected, and when one sales guy tries to email it to his Gmail account, it’s blocked. When he transfers it to a USB device, it’s encrypted using a company key so he can’t put it on his home computer. If he accidentally sends it to someone in the call center, they can’t read it. In the final PDF, he can’t cut out the table and put it into another document. That’s where we are headed: DLP/CMP enmeshed in the background, protecting content through its lifecycle based on central policies and content and context awareness.
In summary, it’s great in the long term, good but not exciting in the short term, and beneficial to the entire DLP market, with a slight edge for RSA. There are a ton of open questions and issues, and we’ll be watching and analyzing this one for a while.
As always, feel free to email me if you have any questions.
-rich
bhasker Dec 4
Excellent analysis…
Out of curiosity: Do you work for either of these two?
-Bhasker
Anonymous Dec 5
Hi Rich,
Regarding your last comment (”Now just imagine…”), it is a reality, NOW!
We have just launched our new solution that “at content creation” applies DRM on data items (whether it is files, mails, applications, or web)… And protection moves along with the content even when you do copy/paste, for example… so when you generate a report from your SQL to your Excel, it will be protected. Then drop it into an email, and it will inherit the protection transparently also… and much more…
The uniqueness here is the ability to monitor and enforce with appropriate DRM protection at the transition from structured to unstructured data. At this point, you still can classify it as structured data, you know the context (for example the source that generated the report and from where), so you have limited chances of false positives. In addition, you have an increase in security because at content creation the protection is applied (unlike when you use scanners).
Yuval
Steve H Dec 5
A clear, informative article.
The scenarios outlined in your final comment have been available for some time, both from my own company and from one other, long-established, EDRM vendor.
However, the model used by such systems can have significant implications.
The model employed by our system (P2P) does not make use of a license server (as does, for example, RMS). Instead, the access control options (including the option of restricting access by geographic location, using GPS) and associated rights restrictions are built into the protected document.
There are a number of practical advantages of non-reliance on a license server: offline transparent protection of content from inception and transparent and controlled use of content, both within and outside of an organisation, simplified access to protected content by third parties (e.g. for collaboration), simplified integration with document portals, such as SharePoint, simplified usage with Cloud environments, etc.
Frank Dec 5
Richard,
Detection is one side of the equation, RMS key management is another. How do you recommend protecting the underlying key infrastructure?
We’re having a discussion around this for an RMS project and are considering nCipher HSMs (http://www.ncipher.com/) to protect the keys in Microsoft’s RMS system. I would very much value your opinion.
Frank
rmogull Dec 5
@bhasker
Great question. I’ve done work in my past with both companies, but have no active contracts right now. I also work (or have worked) with all of their major competitors (I’ve disclosed the list on this site before; just search on “transparency”).
I try to be as open as possible as to which companies I work with. While we consider objectivity and transparency the single most important traits of a good analyst, we recognize that it can be perceived as bias when we accept any money from vendors. Unfortunately, we haven’t found a business model yet where we can completely eliminate that source.
Thus we do our best, put it all out in the open, and leave it up to you to decide. We also understand that once we’re biased, we lose any value at all- to you, the vendors, or anyone else.
rmogull Dec 5
@yuval,
Yes, and as you know I’m familiar with your product, but I think we all have to admit there are advantages when that’s built into the infrastructure by the infrastructure vendors. Also, it’s the content awareness using robust policies that makes it key.
But as you know, I’m biased towards fully content-aware solutions. I also think that should things work out well, you have a good chance to eventually be part of this ecosystem.
rmogull Dec 5
@steve-
The piece that I haven’t seen from any EDRM vendor is content awareness. I consider this the key to EDRM expanding from the niche market it is today into wide deployment. To my understanding, no EDRM vendor has that and it’s the DLP vendors partnering with EDRM vendors (or just plugging into RMS) that provides that.
Since I’m unfamiliar with your product, I can’t comment on the license server issue. I encourage you to contact us for a briefing (we never charge for that, it’s free to anyone).
Jeffrey Pound Dec 6
You know at work I’ll be loving this as it looks like it will provide a consolidated approach to protecting sensitive data.
But at home I may be hating it. I hate black hat hackers, but I can sometimes catch a glimmer of why they do things. One recent issue that had me looking to maybe get the compiler out was the announced closing of a DRM site. Look at those who are going to lose access to all of their music files that were licensed with the soon-to-go-away licensing site.
Something needs to be done so that your legal data stays available to you for your use… even if the company moves on. Escrow maybe…..
If you have a legal disk you should be able to listen to the data on it….
Sorry for rant but…
-jeff
rmogull Dec 8
Jeffrey,
I feel the exact same way about consumer DRM- but I’m not as opposed to enterprise DRM. The DRM authorization server, in this case, is your own server. Your entire directory infrastructure would have to collapse for you to lose your data, it isn’t as simple as losing a single central source.
ds Dec 29
Just saw this post, and it reminds me of conversations I’ve had with both RSA and Symantec. First, I’m wondering how long before Symantec extends their relationship with Liquid Machines to include more RM into Vontu. But what really surprises me, and what I’d asked RSA about over a year ago, is why they aren’t integrating Tablus and what used to be Authentica. I know Tablus loved to trot out MS as a reference customer, but you’d think EMC would use their own ERM engine, if it was any good, as a primary integration.
rmogull Dec 29
That’s a *really* good question. My rough guess is that there’s a lot more bang for the buck with RMS, and Authentica will be worked in at some point. Also, it’s that MS licensed Tablus… I think that really affected direction.